b'April 24, 2003\nSupplement to Audit Report No. 03-013, dated\nJanuary 31, 2003\n\n\nFDIC Procurement Credit Card Program\n\n\n\n\n                           ** This is not an audit report. **\n\n               This supplement contains copies of correspondence between\n               the Office of Inspector General (OIG) and the Division of\n               Administration (DOA) subsequent to the issuance of Audit\n               Report No. 03-013, dated January 31, 2003. The intent\n               of this supplement is to show progress made on the\n               resolution of matters that were unresolved at the time the\n               OIG issued the final report.\n\x0c                       TABLE OF CONTENTS\n\n\n\nI.    OIG Assessment of Management Response to the Final Report\n\n\n      Memorandum dated March 28, 2003, from the Assistant\n      Inspector General for Audits to the Director, Division of\n      Administration\n\n\n\nII.   Management Response to the Final Report\n\n      Memorandum dated February 28, 2003, from the Director,\n      Division of Administration, to the Assistant Inspector General for\n      Audits\n\x0cI.   OIG Assessment of Management Response to\n     the Final Report\n\x0cFederal Deposit Insurance Corporation                                                           Office of Audits\nWashington, D.C. 20434                                                              Office of Inspector General\n\n\n\n   DATE:                           March 28, 2003\n\n   MEMORANDUM TO:                  Arleas Upton Kea, Director\n                                   Division of Administration\n\n\n\n   FROM:                           Russell A. Rau\n                                   Assistant Inspector General for Audits\n\n\n   SUBJECT:                        Assessment of DOA Response to Final Report Entitled FDIC\n                                   Procurement Credit Card Program (Audit Report No. 03-013)\n\n\n   We have reviewed your February 28, 2003 memorandum replying to our request for the Division of\n   Administration (DOA) management to reconsider its response to unresolved\n   recommendations 2 and 3 contained in the subject audit report. We agree with your position that\n   corrective action is best directed towards the FDIC\xe2\x80\x99s general policies and practices governing food\n   and beverage expenditures in the conduct of official business, and we appreciate DOA\xe2\x80\x99s\n   reconsideration of our recommendations.\n\n   Based on your memorandum and a copy of your action plan entitled Revision/Clarification of FDIC\n   Policy on the Use of Corporate Funds for Food and Alcohol, we consider the two outstanding\n   recommendations in the subject report to be resolved. Our analysis of DOA\xe2\x80\x99s response to the two\n   recommendations is set forth below after the pertinent recommendations:\n\n   (1)      Define extravagant meals and refreshments and what constitutes an allowable and\n            unallowable expense for meal purchases using the procurement credit card.\n\n   (2)      Prohibit the purchase of alcoholic beverages using the procurement credit card.\n\n   OIG Analysis: These two recommendations relate to our findings that procurement credit cards\n   were used for meals and refreshments that could be considered \xe2\x80\x9cextravagant\xe2\x80\x9d and where the\n   business purpose was questionable based on existing FDIC policy. Also, charges included alcoholic\n   beverages, which is an expense for which the FDIC does not reimburse employees under its general\n   travel policies. DOA stated in its latest response that DOA will lead a cross-organizational team to\n   review existing corporate policy and practice related to the purchase of food and alcoholic beverages\n   in the conduct of official business. The review will be conducted by March 31, 2003 and DOA\n   believes that it will result in new corporate-wide policies and procedures, appropriate definitions,\n   rules for use, and approval levels for these two types of expenditures. DOA will forward the revised\n   policies and procedures to the OIG for review by April 15, 2003. The OIG will review the revised\n   policies and procedures upon completion and will determine whether changes to the policies and\n   procedures fully address our concerns. At this time, the\n\x0crecommendations are resolved; however, they will remain undispositioned and open until we have\ndetermined that planned corrective actions have been completed and are effective.\n\nNo further response is required from DOA management. We will continue to monitor\nimplementation of these actions. If you have any questions concerning the report, please contact me\nat (202) 416-2543 or Sharon M. Smith at (202) 416-2430. We appreciate the courtesies extended to\nthe audit staff.\n\ncc:    Vijay G. Deshpande, DIRM\n       David McDermott, DOA\n       Andrew Nickle, DOA\n       Mike MacDermott, OICM\n       Corrine Watts, OICM\n\n\n\n\n                                                 2\n\x0cII. Management Response to the Final Report\n\x0cFederal Deposit Insurance Corporation\n550 17th St. NW Washington DC, 20429                                                Division of Administration\n\n\n\n                                                     February 28, 2003\n\nTO:              Russell A. Rau\n                 Assistant Inspector General for Audits\n\nFROM:            Arleas Upton Kea\n                 Director\n\nSUBJECT: Final Report Entitled FDIC Procurement Credit Card Program\n\nThis responds to your memorandum dated January 31, 2003 which provided the final audit report\nfor the Procurement Credit Card Program and requested further management comments regarding\nour nonconcurrence with recommendations 2 and 3. These recommendations\nrequested DOA take action to define extravagant meals and refreshments as allowable or\nunallowable expenses for payment under the procurement card program and, further, that DOA\nprohibit the purchase of alcoholic beverages with the credit cards.\n\nAs stated in our January 24, 2003 management decision, we believe that the Acquisition Policy\nManual\xe2\x80\x99s policies and procedures sufficiently address the purchase of meals and refreshments and\nthat controls are in place to minimize potential risks to the Corporation. As was discussed at the\nrecent Audit Committee meeting, we appreciate your understanding that these recommendations\nshould not be directed at the Procurement Card Program, but rather towards FDIC\xe2\x80\x99s general\npolicy and practice governing food and beverage expenditures in the conduct of official business.\n\nTo resolve the outstanding audit recommendations related to these questioned expenditures, DOA\nagrees to lead a cross-organizational team to review existing corporate policy and practice related\nto the purchase of food and alcoholic beverages in the conduct of official business. The review is\nto be concluded by March 31, 2003 and we believe it will result in new corporate-wide policies\nand procedures, appropriate definitions, rules for use, and approval levels for these two types of\nexpenditures. The policies and procedures will be forwarded for management and OIG review by\nApril 15, 2003.\n\nIf you have any questions on this response, please contact David McDermott, Agency Program\nCoordinator for the Procurement Credit Card Program, on x23434.\n\x0cJanuary 31, 2003\nAudit Report No. 03-013\n\n\nFDIC Procurement Credit Card Program\n\x0c                        TABLE OF CONTENTS\n\n\nBACKGROUND                                                       2\n\nRESULTS OF AUDIT                                                 4\n\nCOMPLIANCE WITH EXISTING FDIC POLICIES                           5\n\n     Procurement Credit Cards Not Properly Safeguarded           5\n\n     Non-Compliance with FDIC Procurement Credit Card Policies   6\n\n           Recommendation                                        8\n\nPROCUREMENT CREDIT CARD FOR \xe2\x80\x9cEXTRAVAGANT MEALS\xe2\x80\x9d\nAND QUESTIONABLE BUSINESS PURPOSE                                8\n\n           Recommendations                                       10\n\nCANCELLATION OF PROCUREMENT CREDIT CARDS                         10\n\n           Recommendation                                        11\n\nISSUING PROCUREMENT CARDS AND REDUCING\nPROCUREMENT THRESHOLDS                                           12\n\n           Recommendations                                       12\n\nMANAGEMENT ASSESSMENT OF PROGRAM RISK                            12\n\n           Recommendation                                        13\n\n\nCORPORATION COMMENTS AND OIG EVALUATION                          13\n\nAPPENDIX I:SCOPE AND METHODOLOGY                                 18\n\nAPPENDIX II:      CORPORATION COMMENTS                           19\n\nAPPENDIX III:     MANAGEMENT RESPONSES TO\n                  RECOMMENDATIONS                                24\n\x0cTABLES\n\n    Table 1: Instances of Non-Compliance   7\n\n    Table 2: Analysis of Meal Costs        9\n\n\n\n\n                                      7\n\x0cFederal Deposit Insurance Corporation                                                                             Office of Audits\nWashington, D.C. 20434                                                                                Office of Inspector General\n\n\n\n   DATE:              January 31, 2003\n\n   TO:                Arleas Upton Kea, Director\n                      Division of Administration\n\n                      Fred S. Selby, Director\n                      Division of Finance\n\n\n\n   FROM:\n\n\n\n   SUBJECT:           FDIC Procurement Credit Card Program\n                      (Audit Report No. 03-013)\n\n   The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has\n   completed an audit of the FDIC\xe2\x80\x99s procurement credit card program. In May 2000, we issued\n   another audit report1 regarding the FDIC\xe2\x80\x99s procurement credit card program. Our May 2000 report\n   focused on an evaluation of established policies and procedures and administrative compliance\n   reviews performed by the FDIC\xe2\x80\x99s Division of Administration (DOA). DOA performed the\n   reviews of procurement credit card transactions to ensure compliance with the policies and\n   procedures. The audit showed that the FDIC adequately implemented those control activities, and\n   employees properly utilized the cards. In September 2001, we received a request from Senator\n   Charles E. Grassley, Ranking Minority Member, U.S. Senate Committee on Finance, regarding the\n   FDIC\xe2\x80\x99s use of government charge cards. We undertook two additional audits in response, one\n   related to the FDIC\xe2\x80\x99s travel card program2 and the subject review related to the Corporation\xe2\x80\x99s\n   procurement credit card program. The objective of our current audit was to determine whether the\n   FDIC had implemented effective internal control3 over its procurement credit card program to\n   reduce the risk of improper procurement credit card usage. Appendix I provides details of our\n   scope and methodology.\n\n\n\n\n   1\n     FDIC OIG Audit Report No. 00-015, Audit of the Corporation\xe2\x80\x99s Procurement and Travel Card Programs, dated\n   May 24, 2000.\n   2\n     FDIC OIG Audit Report No. 02-030, FDIC Travel Card Program, dated August 30, 2002.\n   3\n     The five standards for internal control in the federal government as prescribed by the U.S. General Accounting Office\n   (GAO) in Standards for Internal Control in the Federal Government (GAO/AIMD-00-21.3.1, November 1999) are:\n   (1) the control environment, (2) risk assessment, (3) control activities, (4) information and communications, and (5)\n   monitoring. These standards provide a general framework. In implementing these standards, management is\n   responsible for developing the detailed policies, procedures, and practices to fit their agency\xe2\x80\x99s operations and to ensure\n   that they are built into and an integral part of operations.\n\x0cBACKGROUND\n\nIn an effort to streamline the procurement process for low dollar goods and services, the\nGeneral Services Administration (GSA) initiated the Government-Wide Credit Card Program.\nThe Government-Wide Credit Card Program allows appropriately authorized federal\nemployees to make official government purchases using a procurement credit card. The\nprogram was designed to reduce the administrative timeframes and costs generally associated\nwith low dollar value procurements.\n\nThe GSA awarded contracts to various banks to provide the procurement credit card services\nfor federal agencies. Each participating agency was permitted to select a bank to provide its\ncredit card services. The FDIC elected to participate in the credit card program and selected the\nBank of America. Each month the Bank of America provides the FDIC with a billing\nstatement reflecting all procurement credit card purchases.\n\nIn order to provide guidelines for conducting its credit card program, the FDIC developed the\nFDIC Acquisition Policy Manual (APM), Section 9.E., entitled FDIC Procurement Credit\nCard Program. The policy describes control activities, the roles and responsibilities of\nindividuals and the FDIC offices that conduct the program, guidelines for credit card usage,\npurchase limits, and administrative procedures such as how to request a card. Key roles within\nthe FDIC\xe2\x80\x99s procurement credit card program include the Agency Program Coordinator (APC)\nwithin DOA, Approving Officials (AO), Cardholders, and Accounting Contacts. The APC\nserves as the liaison to the Bank of America, and GSA and is responsible for oversight and\nadministration of the FDIC program nationwide. Also, the APC develops program policies,\nprovides clarification and guidance to program participants, and is responsible for reporting\nprogram activities to FDIC executive management.\n\nAOs are representatives of an FDIC division or office who are responsible for reviewing and\napproving all charges incurred by cardholders. According to the APM, AOs are responsible for\nperiodically reviewing purchase receipts in conjunction with the approval of the monthly\nstatements; verifying proper documentation; assisting with the resolution of disputed items,\nwhen necessary; and ensuring compliance with the FDIC billing office\xe2\x80\x99s requirements for\nstatement verification and approval and cardholders exceeding established monthly\nprocurement limits. The APM requires AOs to ensure that the cardholder maintains complete\nrecords of all credit card charges, including the original monthly billing statement, charge slips,\nand original receipts. In addition, the APM requires AOs to review purchase receipts to ensure\nthat cardholders do not split purchases to circumvent their single purchase limit and the\ncombined charges of cardholders do not exceed established monthly procurement limits.\nThe APM also provides guidelines for cardholders. AOs designate cardholders and the APC\napproves the designation. Cardholders make purchases for their respective FDIC office or\ndivision and are responsible for:\n\n\xe2\x80\xa2   maintaining physical security of their card and safeguarding the credit card account\n    number;\n\xe2\x80\xa2   ensuring that the card is used solely for official FDIC business, in accordance with FDIC\n    policy;\n\n\n                                                2\n\x0c\xe2\x80\xa2   obtaining fair and reasonable prices for all purchases and ensuring that the prices do not\n    include sales taxes;\n\xe2\x80\xa2   maintaining sufficient documentation and descriptions to justify card charges; and\n\xe2\x80\xa2   verifying the accuracy of the charges reflected on their monthly billing statements from the\n    Bank of America.\n\nAnother function involved in the FDIC\xe2\x80\x99s procurement credit card program is the Accounting\nContact. AOs designate an Accounting Contact for their FDIC division or office. The\nAccounting Contact assists with the payment process by reconciling the cardholder\xe2\x80\x99s record of\npurchases to the monthly cardholder statement of credit card charges from the Bank of America\nand preparing an Excel spreadsheet. The spreadsheet contains all the purchasing information\nduring the billing cycle, and the Accounting Contact provides this information to the FDIC\nDivision of Administration\xe2\x80\x99s Acquisition and Corporate Services Branch, Acquisition Section.\n The Acquisition Section prepares a Purchase Authorization Voucher and forwards this voucher\nto the Division of Finance for final payment to the Bank of America for items or services\nprocured.\n\nThe FDIC\xe2\x80\x99s APM also establishes procurement thresholds. The maximum single purchase\nlimit for any cardholder is $5,000 unless approved by the APC. In addition, according to the\nAPM, the monthly procurement limit for a cardholder is $50,000 unless a higher amount is\napproved by the APC. However, in practice, many cardholders have thresholds of $2,500 for a\nsingle purchase and $25,000 monthly. As the procurement credit card program has evolved,\nthe APC has approved higher thresholds for certain cardholders. These thresholds range from\n$25,000 for single and $150,000 for monthly purchases to $250,000 for single and $1,000,000\nfor monthly purchases.4\n\nIn addition to the above guidelines, the APM describes the types of purchases that are\nacceptable and those that are prohibited. Some examples of acceptable purchases include:\nbuilding repairs, equipment purchases, external training courses, membership fees and\nassociation dues, advertising, carpet repair, and non-monetary awards. Some examples of\nprohibited purchases include official travel expenses, rental or lease of buildings,\ntelecommunications services, artwork, and computer software/hardware warranties.\nAdditionally, only cardholders in the FDIC Division of Information Resources Management\n(DIRM) are authorized to procure information resources management goods and services.\n\nThe FDIC\xe2\x80\x99s procurement credit card program has over 500 cardholders. For the 2-year period\nbeginning January 1, 2000, purchases made as part of the procurement card program totaled\napproximately $15 million. Given this level of usage, the Corporation uses internal control\nprocedures to ensure proper procurement credit card usage and assist in preventing and\ndetecting fraud, abuse, and errors. For example, it has established controls for spending\nthresholds and responsibilities of all parties involved in the program.\n\n\n\n4\n Only one FDIC employee, the Chief, Administration Contracting Group, has a threshold of $250,000 for single and\n$1,000,000 for monthly purchases.\n\n\n                                                        3\n\x0cToward the end of our audit fieldwork, the President\xe2\x80\x99s Council on Integrity and Efficiency,\ncomposed of presidentially appointed Inspectors General (IG), and the Executive Council on\nIntegrity and Efficiency, mainly composed of the IGs who are appointed by agency heads,\nissued A Practical Guide for Reviewing Government Purchase Card Programs. This guide\nalso incorporates the GAO Control Standards, and we used it as a reference in conducting our\nreview.\n\n\nRESULTS OF AUDIT\n\nInternal control over the Corporation\xe2\x80\x99s procurement credit card program was not fully effective. In\nline with the GAO\xe2\x80\x99s standards for internal control, the FDIC took action to foster an environment\nfor proper use of procurement cards by establishing and communicating formal policies,\nprocedures, and approval processes to reduce the risk of improper use of the card. However, we\ndetermined that FDIC employees were not always fully complying with established policies,\nprocedures, and control activities, and in some cases the policies and procedures needed\nreinforcement, modification, or clarification. It is important to note that individual deficiencies\nwere not material; however, collectively, they represent systemic weaknesses that increase the risk\nof misuse. For example, in some cases procurement credit cards and numbers were not properly\nsafeguarded, employees were able to circumvent purchase limits, some purchases lacked\nsupporting documentation, and employees at times incurred sales taxes although the APM\nspecifically prohibits paying these charges. Also, in the absence of clear policies and procedures,\nextravagant meals and alcoholic beverages 5were purchased with procurement credit cards, as well\nas other purchases that may not qualify as \xe2\x80\x9cofficial business.\xe2\x80\x9d\n\nThe FDIC could strengthen its procedures for monitoring and overseeing the effectiveness of the\nprocurement card program. The FDIC does not have effective procedures for canceling the cards\nfor employees departing the FDIC, and in several cases, former employees continued to have credit\ncard privileges even after their departure from the Corporation. In addition, the FDIC did not\nperform analyses on a regular basis to determine whether cardholders are using the procurement\ncredit card and have a business need for the card. Some employees in our sample were issued\ncards but rarely used them, increasing the risk of misuse or undetected loss of the procurement\ncredit card. Finally, procurement cardholders had spending limits that exceeded their normal\npurchase activity, and limits were not reviewed to ensure they reflected the extent of spending that\nusers were likely to incur. As a result, the FDIC procurement credit card program is more\nvulnerable to fraud and misuse.\n\nThe Corporation has not conducted a formal risk analysis to identify specific types of\nvulnerabilities and steps to address them, such as training, revisions to policy, and other means of\ncommunicating information on the proper use of the card. The risk analysis is another suggested\ncomponent of GAO\xe2\x80\x99s standards for internal control.\n\n\n\n\n5\n  It should be noted that no regulatory or contractual prohibitions are in effect for the FDIC with respect to the purchase\nof alcoholic beverages.\n\n\n                                                            4\n\x0cCOMPLIANCE WITH EXISTING FDIC POLICIES\n\nFDIC employees responsible for conducting procurement credit card functions did not consistently\nsafeguard the cards or comply with other existing FDIC policies and procedures. For example,\ncardholders\n\xe2\x80\xa2 allowed other FDIC employees to use their card to purchase goods and services for the\n    Corporation,\n\xe2\x80\xa2 circumvented charge card limits by splitting purchases,\n\xe2\x80\xa2 did not retain required documentation,\n\xe2\x80\xa2 purchased items that should have only been purchased by employees of authorized divisions,\n    and\n\xe2\x80\xa2 paid sales taxes although prohibited.\n\nThe GAO\xe2\x80\x99s Internal Control Management and Evaluation Tool recommends control activities such\nas training to help employees understand their roles and responsibilities. However, the FDIC had\nnot established an ongoing training program for employees involved in the Corporation\xe2\x80\x99s\nprocurement credit card program. Non-compliance can result in credit card abuses or losses to the\nFDIC.\n\nProcurement Credit Cards Not Properly Safeguarded\n\nProcurement cardholders allowed other employees who were not authorized to purchase goods or\nservices for the FDIC. FDIC APM 9.E.4.c (2) states that cardholders are designated by the AO and\napproved by the APC to make purchases for their respective division location accounts through the\nuse of their procurement credit cards. These cardholders are responsible for the physical security of\ntheir card and for safeguarding the credit card account number. We identified four cardholders\nworking in DIRM who allowed other DIRM employees to purchase goods and services for the\nFDIC using the cardholder\xe2\x80\x99s procurement credit card. One of the four DIRM employees who had a\nprocurement credit card issued to him, with thresholds of $5,000 per transaction and $50,000\nmonthly, allowed several other DIRM employees to charge goods and services on the card. The\nprocurement cardholder provided the credit card number to these individuals to use in making\npurchases. When these individuals made purchases, the transactions would be recorded on the\nmonthly bill of the cardholder. The cardholder would then request receipts from the employees\nwho were making the purchases. Once the cardholder received the receipts, the cardholder would\nreview the charges and forward the bill and receipts to the approving official who later approved all\nthe charges.\n\nThe DIRM cardholders stated that it was a business decision to limit the number of physical\nprocurement credit cards issued in DIRM so that only higher ranking employees received a card to\npurchase goods or services. However, the cardholders provided subordinates with the card number\nand permitted them to make purchases. It should be noted that the DIRM employees making the\npurchases were doing so as a standard part of their work requirements. However, by allowing\nmultiple employees to use the procurement card and exposing the account number, the FDIC\nemployees increased the risk of an individual accessing the credit card privileges and improperly\npurchasing items. The Agency Program Coordinator, Acquisition Services Branch, DOA, needs to\nensure that all procurement credit card holders are aware of not allowing other FDIC employees to\n\n\n                                                 5\n\x0cuse their procurement credit cards. In addition, cardholders need to be aware of the importance of\nmaintaining security of the credit card itself and the credit card number.\n\nDuring our audit, we notified DOA of this matter, and DOA initiated three actions. First, DOA\nauthorized additional procurement credit cards for the DIRM employees who were responsible for\nmaking purchases. This facilitated tracking and accounting for the credit cards and card activity.\nSecond, DOA issued a notice to procurement credit card program participants, reinforcing the\nCorporation\xe2\x80\x99s policy on the authorized use of the procurement credit card and reminding\ncardholders of the critical importance of adhering to the policy. Third, DOA cancelled the credit\ncard privileges for the DIRM employee whose credit card number was widely distributed to other\nemployees.\n\nNon-Compliance with FDIC Procurement Credit Card Policies\n\nWe noted multiple instances of non-compliance with procurement credit card policies. The\nFDIC\xe2\x80\x99s APM prohibits activities such as splitting purchases to circumvent spending limits,\nrequires rotating sources to preclude repeated acquisitions from the same vendor, and requires\nresponsible employees to maintain documentation to support their purchases. In addition, the\npolicy restricts the purchase of certain items such as books, office supplies, and information\nresources management goods and services to only cardholders in designated FDIC divisions and\nstates that procurement credit card charges are not subject to sales taxes.\n\nTwenty-five of 30 cases (84 percent) in our audit sample involved at least one instance where an\nemployee did not comply with established requirements. In 7 of the 30 cases, there were 3 or more\ninstances of non-compliance. Among these, there were instances of splitting purchases that\ncircumvented procurement credit card spending limits. Split purchases can also limit competition\nfor procurements. Not adhering to the Corporation\xe2\x80\x99s guidelines increases the risk of improper\nprocurement card usage, paying excessive prices, erroneous payments, or fraudulent purchases.\n\nTable 1 shows the types of non-compliance and the number of cardholders for each type.6\n\n\n\n\n6\n    Some cardholders had multiple instances of non-compliance.\n\n\n\n                                                          6\n\x0cTable 1: Instances of Non-Compliance\n\n\n                                                                                            Potential\nType of Non-Compliance                                    Number of Cardholders              Risks\n\nNo Supporting Receipts/ Charges Not Properly                       10                 Unauthorized purchases\nDocumented\n\nPaid Sales Taxes                                                   10                     Excessive costs\n\n\nUnresolved disputed amounts                                        2                      Excessive costs\n\n\nUse of Card or Card Number by Employees Other                      6\nThan Cardholder                                                                       Unauthorized purchases\n\nSplit Purchases/Multiple Purchases from Same Vendor                2               Excessive costs due to lack of\n                                                                                           competition\n                                                                                         Excessive costs/\nInappropriately Purchased Restricted Equipment                     1                 Unauthorized purchases\n\nVarious Other Types of Non-Compliance (example-                    8                     Excessive costs/\nexceeding non-monetary award limits)                                                  Unauthorized purchases\nSource: OIG analysis of cardholder records.\n\nThe Corporation does not have an ongoing training program for all procurement cardholders,\napproving officials, and accounting contacts. Rather, management stated that in the past, training\nhas been provided to cardholders on an inconsistent basis. Specifically, in 1996 and 1997\nmandatory briefings were held for program participants. In addition, in 2001, briefings were held\nfor cardholders with increased thresholds. However, this training has not been provided on a\nregular basis to all cardholders nor have the policies been reiterated to cardholders periodically.\nPeriodic training is a control activity that provides a level of assurance that employees understand\ntheir responsibilities, particularly those regarding procurement card usage.\n\nIn order to ensure that agencies implement adequate systems of internal control over their\nprograms, the U.S. General Accounting Office issued Standards for Internal Control in the\nFederal Government (Control Standards). Those standards provide a basic framework for\nagencies to assess the risks they face and to determine internal control activities necessary to\nmitigate those risks. Internal control activities may vary from agency to agency depending\nupon such factors as risk. However, the GAO\xe2\x80\x99s Internal Control Management Evaluation Tool\n(GAO-01-1008G, August 2001), which is based on the Control Standards, recognizes that the\neffective management of an organization\xe2\x80\x99s workforce, its human capital, is a common internal\ncontrol activity. Specifically, according to GAO, management should provide employees with\nthe necessary orientation and training to perform their duties and responsibilities and meet the\ndemands of changing organizational needs. As noted in Table 1, the high incidence rate of\nnon-compliance with FDIC procurement credit card\n\n\n                                                      7\n\x0cpolicies increases significantly the risk to the Corporation of unauthorized purchases and\nexcessive costs, including those caused by a lack of price competition.\n\nRecommendation\n\nWe recommend that the Director, DOA:\n\n(1) Provide periodic training to procurement cardholders and approving officials in order to\n    reiterate the policies and procedures governing the procurement credit card program. The\n    policies over roles and responsibilities; security over the card; procurement thresholds;\n    permissible, prohibited, and restricted use; supporting documentation requirements; repeated\n    acquisitions from the same vendor (split purchases); refreshment/meal requirements; payment\n    of sales taxes; and procedures for card usage should be reinforced.\n\n\nPROCUREMENT CREDIT CARD USED FOR \xe2\x80\x9cEXTRAVAGANT MEALS\xe2\x80\x9d AND\nQUESTIONABLE BUSINESS PURPOSE\n\nIn a very limited number of cases, procurement credit cards were used for meals and refreshments\nthat could be considered \xe2\x80\x9cextravagant\xe2\x80\x9d and where the business purpose was questionable based on\nexisting FDIC policy. Also, in one case the approving official for a cardholder was a subordinate.\nWhile limited, each of these instances evidences the lack of clear FDIC policy guidance on aspects\nof the procurement credit card program that can result in increased costs to the FDIC.\n\nAlthough the FDIC\xe2\x80\x99s APM prohibits purchases of extravagant meals, it does not define the term\n\xe2\x80\x9cextravagant.\xe2\x80\x9d For comparative purposes to judge the extravagance, we used the FDIC\xe2\x80\x99s policies\nfor reimbursing meals of employees while in a travel status. The FDIC reimburses employees\n$22 per day for dinner and $11 per day for lunch expenses for the geographic locations we\nreviewed. For analytical purposes, we considered expenditures that were double the travel\nreimbursement rates or greater to be extravagant, i.e., $44 or more for dinner and $22 or more for\nlunch. In instances noted, the employees charged meals that exceeded our baseline by as much as\n3 times that amount. These charges also included alcoholic beverages, which is an expense that the\nFDIC does not reimburse employees for under its general travel policies.7 Table 2 provides a\ncomparison of the cost of the meals versus our baseline amount for analytical purposes.\n\n\n\n\n7\n    FDIC\xe2\x80\x99s General Travel Regulations, Travel Regulations Overview, Nonreimbursable Expenses.\n\n\n                                                         8\n\x0cTable 2: Analysis of Meal Costs\n\n                                                                                   OIG BASELINE\n                                                                                   (2 TIMES PER\n                                              NUMBER OF         PRICE PER           DIEM RATE)\n  OCCASION              TOTAL PRICE           EMPLOYEES          PERSON\n\n1 \xe2\x80\x93 Conference\n    Dinner                     $3,886            76                  $51                  $44\n\n2 \xe2\x80\x93 Conference\n    Dinner                     $2,238            17                  $132                 $44\n\n\n3 \xe2\x80\x93 Lunch                       $119              3                  $40                  $22\nSource: OIG analysis of cardholder records.\n\nExample 1 reflects the cost of dinner and drinks, including alcoholic beverages, for a meal\nassociated with an FDIC conference. In example 2, although drinks were included in the price, we\nwere unable to determine whether alcohol was purchased based on review of the bill which did not\nfurther break down the charges. Example 3 in the above table represents a purchase at a\nWashington, D.C. restaurant where the cardholder used his procurement credit card to buy lunches\nfor a total of three FDIC employees. The cardholder intended the purchase as an appreciation or\nfarewell gesture for one of the attendees. The bill included charges for alcoholic beverages. In\naddition to the cost of the lunch being almost twice the reimbursable lunch per diem rate for\nWashington, D.C. of only $22, we question the business purpose of the lunch. Existing FDIC\npolicy is unclear on whether this is an official FDIC business expense. Rather than the\nCorporation paying for meals of employees leaving the FDIC, this type of more personal expense\ncould be paid for by the attendees of the farewell lunch.\n\nThe FDIC\xe2\x80\x99s APM states that the procurement cards can be used for refreshments and meals as long\nas the purchase is non-extravagant and used during the ordinary course of official FDIC business\nconferences, meetings, luncheons, dinners, or other functions. However, the manual does not\nfurther define \xe2\x80\x9cofficial FDIC business.\xe2\x80\x9d The examples stated above appear to be extravagant in\nnature when reviewing the cost per person and comparing the amount to the reimbursable per diem\nrate for an employee on official travel. In addition, the Corporation should only pay for charges\nthat are business-related and benefit the Corporation. For example, credit card charges to celebrate\nbirthdays, retirements, holidays or other special personal celebrations should be prohibited.\n\nAdditionally, although the APM does not specifically prohibit the purchase of alcoholic beverages\nusing the procurement credit card, the FDIC\xe2\x80\x99s travel policies provide guidelines concerning\nreimbursable employee expenses. Those guidelines prohibit the reimbursement of employees for\npurchases of alcoholic beverages. In addition, FDIC\xe2\x80\x99s Circular 2500.3, FDIC-Sponsored\nGovernment Travel Card Program, states that the travel card is to be used only for official travel-\nrelated services. Because the purchase of alcohol is not an allowable travel reimbursement, the\ntravel card should not be used for these types of purchases. Further, the FDIC\xe2\x80\x99s travel card has a\n\n\n                                                 9\n\x0cblock on purchases made at package stores for items including beer, wine, and liquor. Therefore,\nin our opinion, permitting the purchase of alcoholic beverages using the procurement card is\ninconsistent with travel card policies, could adversely impact the public\xe2\x80\x99s perception of the\nCorporation and its employees, and could pose related liability issues to the Corporation.\n\nFinally, the approving official for the cardholder who purchased the meals totaling $2,238 was\nthe cardholder\xe2\x80\x99s subordinate. It is not a good business practice to have the approving official\nas a subordinate to the cardholder because the cardholder can exercise influence over the\napproving official. The current APM is silent on this issue. Modifying the manual to preclude\nan approving official being subordinate to the cardholder can help deter misuse of procurement\ncredit cards.\n\nRecommendations\n\nWe recommend that the Director, DOA, use the FDIC\xe2\x80\x99s Acquisition Policy Manual, Chapter 9, to:\n\n(2) Define extravagant meals and refreshments and what constitutes an allowable and unallowable\n    expense for meal purchases using the procurement credit card.\n\n(3) Prohibit the purchase of alcoholic beverages using the procurement credit card.\n\n(4) Require approving officials not be subordinates to the cardholders for whom they approve\n    purchases.\n\n\nCANCELLATION OF PROCUREMENT CREDIT CARDS\n\nThe FDIC did not cancel procurement cards timely for employees departing FDIC employment.\nSpecifically, the procurement card was not canceled timely for six of eight former employees in the\nsample we reviewed. The FDIC canceled the cards from 3 to 104 days after the employee was no\nlonger employed by the Corporation. This occurred because the FDIC did not follow the guidelines\nin its APM and the FDIC lacked adequate pre-departure clearance procedures for employees\ndeparting FDIC employment. Untimely cancellation increases the risk that former employees or\nothers who may have access to the account number may make unauthorized purchases.\n\nThe APM Section 9.E.6.e, Procurement Credit Card Program \xe2\x80\x93Resignation or Reassignment of\nCardholder or Approval Official, requires that when a cardholder leaves the FDIC or moves to\nanother FDIC location, the APC, or his/her designee, must be immediately notified. Before a\ncardholder\xe2\x80\x99s departure from his/her office, the AO must ensure that the credit card is retrieved from\nthe cardholder and destroyed. The APC, or his/her designee, should notify the Bank of America,\nand the account will be closed.\n\nBecause the FDIC has reorganized and reduced staffing levels corporate-wide, many individuals\nhave left or will be leaving the Corporation. Improvements are needed to cancel procurement credit\ncards when individuals leave either permanently or to relocate. One additional means of\nstrengthening controls is to revise Circular 2150.1, Pre-Exit Clearance Procedures for FDIC\n\n\n                                                 10\n\x0cEmployees, specifically the Pre-Exit Clearance Record for Employees. During the period of our\nreview, the circular did not incorporate the requirement in APM 9.E.6.e regarding retrieval of the\ncredit card from relocating or departing employees. Subsequent to our review, the FDIC revised\nthe circular to include the procurement credit card as an item for collection, and the circular now\ndescribes specific actions that need to be taken for departing employees holding the procurement\ncredit cards. During the course of our review, we discussed this matter with DOA and issued a\nmemorandum to advise the Director, DOA, of the weakness in the procurement credit card\ncancellation process.\n\nOn July 3, 2002, DOA issued a notice to all credit card approving officials and administrative\nofficers to highlight the corporate policies pertaining to exiting and relocating employees. The\nnotice also stated that due to the FDIC\xe2\x80\x99s ongoing reorganization and number of people leaving the\nCorporation under the buyout program, approving officials were requested to provide a list of all\nprocurement cardholders currently under their authority. Further, the notice communicated the new\nprocedures contained in Circular 2150.1, Pre-Exit Clearance Procedures for FDIC Employees.\nDOA issued the Circular in final on September 17, 2002. The revised circular includes the\nfollowing added control activities:\n\n\xe2\x80\xa2   The procurement credit card and corresponding convenience checks are listed on the Pre-Exit\n    Clearance Record for Employees form as items that need to be returned to the FDIC.\n\n\xe2\x80\xa2   Administrative officers are required to obtain the employee\xe2\x80\x99s FDIC procurement credit card;\n    any remaining convenience checks; and cardholder file, including receipts for outstanding\n    charges, before the last day of official duty. The administrative officer must also notify the\n    APC of the cardholder\xe2\x80\x99s effective date of departure, destroy and dispose of the cardholder\xe2\x80\x99s\n    procurement card and convenience checks upon receipt of cancellation information from the\n    APC, and return the cardholder file to the APC with any outstanding receipts.\n\nImplementation of the control activities mentioned above will reduce the risk of improper\nprocurement credit card usage by former employees. However, canceling a cardholder\xe2\x80\x99s card and\nconvenience checks in a more timely manner, specifically, as soon as employees provide notice\nthat they will leave FDIC employment or in cases where they relocate and will no longer be in\npositions requiring use of the card, will further strengthen internal control. This measure should\nhelp reduce the risk of any unauthorized purchases by the cardholder between the time that notice\nis provided to the FDIC and the actual departure or transfer date and ensure that the procurement\ncredit card is canceled prior to the employee\xe2\x80\x99s actual departure or transfer.\n\nRecommendation\n\nWe recommend that the Director, DOA:\n\n(5) Enforce APM Section 9.E.6.e by reminding cardholders/approving officials of the requirement\n    to immediately notify the APC, or his/her designee when the cardholder/approving official\n    either leaves the FDIC or moves to another FDIC position so that the APC can notify the Bank\n    of America to cancel the card.\n\n\n\n                                                 11\n\x0cISSUING PROCUREMENT CARDS AND REDUCING PROCUREMENT\nTHRESHOLDS\n\nMany FDIC procurement cardholders were only using the card for a limited amount of activity. In\naddition, procurement cardholders had spending limits that exceeded their normal purchase\nactivity. For instance, 79 cardholders used the card five times or fewer during a 2-year period. One\nof those cardholders had a single purchase limit of $250,000 and another had a limit of $100,000.\nThe highest dollar amount that these individuals spent during a 2-year period was $98,490 and\n$1,833, respectively. The FDIC had not reviewed cardholder purchase records to assess\ncardholder inactivity and excessive spending limits. The GAO\xe2\x80\x99s Internal Control Management\nand Evaluation Tool suggests that the risk of unauthorized use be controlled by restricting access.\nExcessive access to procurement credit card privileges increases the risk of unauthorized usage.\nLimiting access to credit card privileges is an essential internal control activity.\n\nThe Director of the Office of Management and Budget (OMB) recognized the importance of\ninternal control in the federal government\xe2\x80\x99s credit card program and issued OMB Memorandum\nM-02-05, dated April 18, 2002, suggesting that agencies prepare remedial action plans for their\nprograms. Specifically the memorandum states \xe2\x80\x9cYour plans should also include an examination of\nthe number of cards issued at your agency. One step that may prove useful would be to deactivate\nall current cards and reactivate them selectively for a smaller number of cardholders, based on\ndemonstrated necessity.\xe2\x80\x9d By examining the number of cards issued and the related thresholds, the\nFDIC may be able to preclude unnecessary access to credit card privileges and reduce the risk of\nunauthorized card usage.\n\nRecommendations\n\nWe recommend that the Director, DOA:\n\n(6) Perform an analysis on a regular basis to determine whether cardholders are using the card. If\n    a cardholder is not using the card on a fairly regular basis, consider canceling the card\n    privileges.\n(7) Review the spending limits for all cardholders and ensure that the limits reflect the extent of\n    spending that they are likely to incur.\n\nMANAGEMENT ASSESSMENT OF PROGRAM RISK\n\nManagement can enhance its assessment of procurement card program risk by conducting a risk\nassessment. Notwithstanding establishment of an overall control environment, including policies\nand procedures to address the risk of improper use of the card, the Corporation has not conducted a\nformal risk analysis that may have identified specific types of vulnerabilities and steps to address\nthem. DOA does engage in periodic Administrative Compliance Reviews (ACR) of procurement\ncredit card use. These reviews examine the appropriateness of procurement credit card use and\nsupport for purchases made after the fact. However, without first devising a thorough plan for risk\nmanagement over the entire procurement card program, these reviews may be a less effective\ncontrol than they could be. For example, a risk assessment could identify vulnerabilities that are\nnot presently tested using the ACRs. Additionally, lack of an overall risk assessment may have\n\n\n                                                 12\n\x0climited DOA from establishing all other necessary control activities. This absence of risk\nidentification may make the Corporation\xe2\x80\x99s procurement credit card program vulnerable to\nincreased misuse.\n\nAccording to GAO\xe2\x80\x99s Standards for Internal Control, a risk assessment is an integral component of\nthe entity\xe2\x80\x99s internal control system. GAO states that management has to formulate an approach for\nrisk management and decide upon the internal control activities required to mitigate those risks and\nachieve the internal control objectives of efficient and effective operations. Review of both\ninternal and external risks involved in a program facilitates the design of effective internal control\nactivities.\n\nSuch an assessment of the FDIC procurement credit card program could have helped identify a\nneed for increased emphasis on compliance and training, better clarity of policies, appropriateness\nof purchase thresholds, more timely cancellation of cards, and other means of communicating\ninformation on the proper use of the card. Absent full awareness of the risks, management controls\nwere not as effective as they could have been and the program as a whole was more vulnerable.\n\nRecommendation\n\nWe recommend that the Director, DOA:\n\n(8) Conduct a risk assessment of the procurement card program and establish the necessary control\n    activities to mitigate the risks identified.\n\nCORPORATION COMMENTS AND OIG EVALUATION\n\nOn January 24, 2003, the DOA Director provided a written response to the draft report. The\nresponse is presented in Appendix II to this report. In its written response, DOA management\nconcurred with recommendations 1, 4, 5, 6, 7, and 8. These recommendations are considered\nresolved but will remain undispositioned and open until we have determined that agreed-to\ncorrective actions have been completed and are effective. DOA management did not concur with\nrecommendations 2 and 3, suggest acceptable alternative actions, or provide information that\nwould convince us to revise either of the two recommendations. Because these two\nrecommendations remain unresolved, undispositioned, and open, we are requesting DOA to\nreconsider its response to our report and provide us additional comments. DOA\xe2\x80\x99s responses to the\nrecommendations are summarized below along with our evaluation of the responses.\n\nRecommendation 1: Provide periodic training to procurement cardholders and approving\nofficials in order to reiterate the policies and procedures governing the procurement credit\ncard program. The policies over roles and responsibilities; security over the card;\nprocurement thresholds; permissible, prohibited, and restricted use; supporting\ndocumentation requirements; repeated acquisitions from the same vendor (split purchases);\nrefreshment/meal requirements; payment of sales taxes; and procedures for card usage\nshould be reinforced.\n\nDOA concurs with this recommendation. Subsequent to the end of our fieldwork in September\n\n\n                                                 13\n\x0c2002, DOA completed an online procurement credit card training module in December 2002\nwhich will be available to program participants by the end of January 2003. The program\xe2\x80\x99s\ntraining policy is also being revised and will require all new cardholder applicants to take the\ncourse and receive a passing score prior to receiving the procurement credit card. Completion of\nthe training module will be recorded in the FDIC training server, and the APC will have access to\nthe training server to monitor cardholders\xe2\x80\x99 completion of the required training module. Existing\ncardholders will also be required to take periodic training to refresh cardholders on their roles and\nresponsibilities under the program.\n\nIn our view, the efforts made to date by DOA to have an online training program available to all\nprocurement cardholders will improve the overall effectiveness of the program. Tracking the\ncompletion of the training for cardholders by the APC will also improve controls. In addition, to\nclarify a statement made in DOA\xe2\x80\x99s response, the OIG reviewed 30 cardholders from a population\nof 132 cardholders who engaged in at least $1,000 of purchases during the last quarter of 2001. In\ntotal, there were 780 credit card transactions for the 30 cardholders for this period. DOA stated in\nits response that there were 6,188 credit card transactions; however, this total reflects transactions\nduring calendar years 2000 and 2001. The difference in the number of transactions used by DOA,\n6,188 versus 780 in the OIG sample, increases the error rate from 1 percent as computed by DOA\nto approximately 9 percent.\n\nThis recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nRecommendation 2: Define extravagant meals and refreshments and what constitutes an\nallowable and unallowable expense for meal purchases using the procurement credit card.\n\nDOA does not concur with this recommendation. DOA stated that the focus should not be on\ncreating a definition for extravagant, but should instead be directed on the adequacy of the internal\ncontrols that govern approval. DOA does not consider that the examples cited by the OIG meet the\nintent of the definition of extravagant. DOA believes that the APM sufficiently addresses the\npurchase of meals and refreshments in a manner that minimizes potential risks to the Corporation.\nSpecifically, the purchase of all refreshments and meals must be approved in advance and in\nwriting at the Assistant Director-level or above in headquarters or the Regional Director/Regional\nManager in the field. The current practice elevates the approval process to an executive level\nmanager who has the ability to use discretion as circumstances warrant. DOA believes this high\nlevel of advanced written approval serves as an adequate internal control as it pertains to the use of\nthe procurement card for refreshments. Further, DOA stated that for each of the exceptions noted\nin the OIG report, proper approval was obtained.\n\nThe pre-approval process alone will not result in consistent application of approved expenses\nthroughout the Corporation if the Corporation does not further define in the APM extravagant\nmeals and refreshments and what constitutes an allowable and unallowable expense for meal\npurchases. As cited in our examples, and from DOA\xe2\x80\x99s response, individuals have different\ndefinitions of extravagance and different opinions on the allowability of meal purchases. For\nexample, the OIG considers that spending $132 per person for a meal and drinks is extravagant.\nAlso, the Corporation should not be paying for the going away lunch for employees leaving the\n\n\n                                                  14\n\x0cFDIC. This type of expense should be paid by the attendees of the farewell lunch. By defining\nboth extravagant and what constitutes an allowable and unallowable expense for meal purchases,\nthe FDIC can better control costs charged to procurement cards. Further, the OIG did not see\nevidence that prior written approval was obtained for the three exceptions noted in the report.\nBecause this recommendation is unresolved, undispositioned, and open, we have requested DOA\nto reconsider its response to our report and provide us additional comments.\n\nRecommendation 3: Prohibit the purchase of alcoholic beverages using the procurement\ncredit card.\n\nDOA does not concur with this recommendation. DOA stated as with recommendation 2, above,\nthat appropriate controls are in place and alcohol may only be purchased using the procurement\ncredit card under these circumstances and controls. The current practice elevates the approval\nprocess to an executive level manager who has the ability to use discretion as circumstances\nwarrant. Other than this approval process, alcohol may not be purchased using the procurement\ncredit card.\n\nThe OIG\xe2\x80\x99s position is that the APM, Chapter 9, should prohibit the purchase of alcoholic\nbeverages using the procurement credit card. Permitting the purchase of alcoholic beverages is\ninconsistent with travel card policies, could adversely impact the public\xe2\x80\x99s perception of the\nCorporation and its employees, and could pose related liability issues to the Corporation. Also,\nbecause individuals have different viewpoints on the use of alcohol, policy prohibiting the\npurchase of alcohol using the procurement credit card would provide consistency throughout the\nCorporation.\n\nBecause this recommendation is unresolved, undispositioned, and open, we have requested DOA\nto reconsider its response to our report and provide us additional comments.\n\nRecommendation 4: Require approving officials not be subordinates to the cardholders for\nwhom they approve purchases.\n\nDOA concurs with this recommendation. DOA agrees that an approving official should not be a\nsubordinate to a cardholder for whom they approve purchases. To address this issue, by the first\nquarter of 2003, DOA will incorporate language into procurement credit card policy that clearly\narticulates the requirements of the approving official/cardholder relationship before issuance of a\nprocurement credit card.\nThis recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nRecommendation 5: Enforce APM Section 9.E.6.e by reminding cardholders/approving\nofficials of the requirement to immediately notify the APC, or his/her designee when the\ncardholder/approving official either leaves the FDIC or moves to another FDIC position so\nthat the APC can notify the Bank of America to cancel the card.\n\nDOA concurs with this recommendation. DOA recently issued interim guidance to the\n\n\n                                                 15\n\x0cCorporation that addressed cancellation of the procurement credit card during the pre-exit\nclearance process. In addition, subsequent to issuing this interim guidance, the Pre-Exit Clearance\nCircular was updated with the revised requirements. This also included updating the Pre-Exit\nClearance Form to require the administrative officer to collect the credit card and sign the form to\nacknowledge that the action was completed. DOA also stated that it will issue periodic reminders\nto the cardholders, approving officials, and administrative officers of the requirement to\nimmediately notify the APC, or his/her designee when the cardholder/approving official either\nleaves the FDIC or moves to another FDIC position so that the APC can notify the contractor to\ncancel the account. The actions taken by DOA and future reminders to appropriate staff will\nimprove the internal controls over the cancellation of procurement credit cards.\n\nThis recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nRecommendation 6: Perform an analysis on a regular basis to determine whether\ncardholders are using the card. If a cardholder is not using the card on a fairly regular basis,\nconsider canceling the card privileges.\n\nDOA concurs with this recommendation. DOA stated that usage reports for both the credit cards\nand convenience checks are obtained from the contractor on a quarterly basis. Analysis of\ncardholder usage was conducted, and the results were shared with the approving officials to\ndetermine whether credit cards should be cancelled for certain cardholders. The APC analyzed the\nresponses and decided to expand the survey period to obtain a broader perspective on cardholder\nusage. DOA is in the process of analyzing the procurement credit card usage for 2002.\n\nThis recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nRecommendation 7: Review the spending limits for all cardholders and ensure that the limits\nreflect the extent of spending that they are likely to incur.\n\nDOA concurs with this recommendation. DOA stated that the APC has incorporated a process to\nanalyze the spending limits for cardholders on a quarterly basis to determine whether the spending\nthresholds or limits are appropriate. This evaluation is conducted in conjunction with the APC\xe2\x80\x99s\nanalysis of cardholder usage. DOA is analyzing the spending limits for all cardholders for 2002\nand expects to complete its analysis by March 31, 2003.\n\nThis recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nRecommendation 8: Conduct a risk assessment of the procurement card program and\nestablish the necessary control activities to mitigate the risks identified.\n\nDOA concurs with this recommendation. DOA stated that it will establish the procurement card\nprogram as an accountability unit and test the controls for those identified risks under the Chief\nFinancial Officers Act. It will establish the accountability unit by March 31, 2003 and testing will\n\n\n                                                 16\n\x0ctake place as dictated in the Corporation\xe2\x80\x99s annual Management Control Plan.\n\nThe recommendation is resolved but will remain undispositioned and open until we have\ndetermined that agreed-to corrective action has been completed and is effective.\n\nA summary chart showing management\xe2\x80\x99s responses to all recommendations is presented in\nAppendix III.\n\n\n\n\n                                               17\n\x0c                                                                                   APPENDIX I\n\n                               SCOPE AND METHODOLOGY\n\nTo accomplish our objective, we:\n\n\xe2\x80\xa2   Interviewed DOA personnel responsible for monitoring the FDIC\xe2\x80\x99s procurement credit card\n    program and personnel from various FDIC divisions and offices responsible for making and\n    approving credit card purchases.\n\n\xe2\x80\xa2   Reviewed policies and procedures, including the FDIC Acquisition Policy Manual, Section\n    9.E., entitled FDIC Procurement Credit Card Program.\n\n\xe2\x80\xa2   Reviewed the President\xe2\x80\x99s Council on Integrity and Efficiency (PCIE) and Executive Council\n    on Integrity and Efficiency (ECIE) guide to conducting a review of an agency\xe2\x80\x99s government\n    purchase card program.\n\n\xe2\x80\xa2   Reviewed the U.S. General Accounting Office\xe2\x80\x99s (GAO) Standards for Internal Control in the\n    Federal Government (GAO/AIMD-00-21.3.1, issued November 1999) and GAO\xe2\x80\x99s Internal\n    Control Management and Evaluation Tool (GAO-01-1008G, issued August 2001).\n\n\xe2\x80\xa2   Obtained and relied upon data from the Bank of America that contained all purchases made by\n    FDIC cardholders for the period of review, and conducted random attribute testing and data\n    mining. We examined all cardholder activity during the 2-year period ending December 31,\n    2001 to identify trends and indicators of improper purchases, such as purchases from\n    establishments that sell alcoholic beverages. From the unusual purchases identified, we\n    reviewed 32 in detail. In addition, we used data mining to identify any outstanding\n    procurement credit cards issued to former employees as of December 15, 2001.\n\nFor our random attribute sample, we selected 30 cardholders from a population of 132 cardholders\nwho had engaged in at least $1,000 of purchases during the last quarter of 2001. This approach\nenabled us to select cardholders who had actually used the procurement credit card. In addition, in\norder to facilitate testing the adequacy of control activities nation-wide, the cardholders were\nselected from the FDIC\xe2\x80\x99s Washington, Atlanta, Dallas, and Chicago regional offices.\n\nWe conducted the audit from February 2002 through September 2002 in accordance with generally\naccepted government auditing standards.\n\n\n\n\n                                                18\n\x0c                                                                                        APPENDIX II\n                                              CORPORATION COMMENTS\n\n        Federal Deposit Insurance Corporation\n        550 17th Street, NW, Washington, DC 20429                                      Division of Administration\n\n\n\n\n                                             January 24, 2003\n\nMEMORANDUM TO: Sharon M. Smith\n               Deputy Assistant Inspector General for Audits\n\n\nFROM:\n\n\nSUBJECT:                      Management Response to the OIG Report: FDIC Procurement Credit\n                              Card Program\n\nThe Division of Administration (DOA) has completed its review of the subject Office of\nInspector General (OIG) report. We appreciate the review performed by the OIG and its\nrecommendations to enhance and improve the overall Procurement Credit Card Program. In the\nOIG report there are eight recommendations addressed to the FDIC\xe2\x80\x99s Division of Administration\n(DOA). We have evaluated each recommendation, and have provided a detailed response to\ninclude planned corrective actions and expected completion dates as appropriate.\n\nManagement Decision:\n\nRecommendation 1: We recommend that the Director, DOA, provide periodic training to\nprocurement cardholders and approving officials in order to reiterate the policies and procedures\ngoverning the procurement credit card program. The policies over roles and responsibilities;\nsecurity over the card; procurement thresholds; permissible, prohibited, and restricted use;\nsupporting documentation requirements; repeated acquisitions from the same vendor (split\npurchases); refreshment/meal requirements; payment of sales taxes; and procedures for card\nusage should be reinforced.\n\nManagement Response 1: DOA appreciates the recommendation made by the OIG, and fully\nagrees that periodic training is important. As communicated to the OIG auditors during the\nreview, the DOA Acquisition Services Branch (ASB), as the Agency Program Coordinator\n(APC) for the Procurement Credit Card Program, has made training an integral component of the\nprogram in order to fully educate the universe of corporate users. In the initial training efforts to\nroll-out the Procurement Card Program, DOA developed presentation materials and conducted\nperiodic briefings to the corporate participants within the various FDIC divisions and offices to\nindoctrinate them to the requirements and guidelines that encompass the program. Attendance to\nthese briefings was mandatory to all procurement card holders and approving officials.\n\nMoreover, further confirmation of our commitment to ensure corporate awareness of the program\nwas our development effort of the online Procurement Credit Card training module that we\ninitiated and set in motion prior to the commencement of the OIG audit. The training module\nwas completed in December 2002 and will be rolled out to program participants by the end of\n\n\n                                                     19\n\x0cJanuary 2003. The Program\xe2\x80\x99s training policy is also being revised and will require all new\ncardholder applicants to take the course and receive a passing score prior to receiving the\nprocurement credit card. Completion of the training module will be recorded in the FDIC\nTraining Server, and the APC will have access to the training server to monitor cardholder\xe2\x80\x99s\ncompletion of the required training module. Existing cardholders will also be required to take\nperiodic training to refresh cardholders of their roles and responsibilities under the program.\nGiven the efforts made to date by the DOA APC, we believe management of the overall program\nhas been effective. In addition to training that we have provided to existing cardholders, DOA has\nestablished a website dedicated to the program that readily provides all pertinent information on\nthe program, to include policies and procedures. Additionally comprehensive oversight of the\nprogram is built into a three tiered approach to mitigate program risks. These include credit card\ntransaction approval by the Approving Official, proactive oversight by the APC, and a\ncomprehensive internal review program that continually evaluates and monitors the overall\ncorporate-wide program. As an issue is identified, APC takes immediate action to address the\ncause for the given condition. Actions may include working with the Approving Official to\naddress non-compliance issues, global email reminders, and/or program policy changes.\nAs shown in the OIG report, the number of non-compliance exceptions found (731) represent\napproximately one percent of the total credit card transactions (6,1882) reviewed by the OIG\nduring its audit. We believe that the low number of non-compliance instances cited by the OIG is\na direct result of the proactive oversight and previous training that DOA provided. DOA believes\nthat an error rate of one percent is evident that the risks associated with the program are being\nmitigated by the existing internal controls that the APC has established and implemented in\nmanaging the program.\nRecommendation 2: We recommend that the Director, DOA, use the FDIC\xe2\x80\x99s Acquisition Policy\nManual, Chapter 9, to define extravagant meals and refreshments and what constitutes an\nallowable and unallowable expense for meal purchases using the procurement credit card.\nManagement Response 2: DOA does not agree with the recommendation that \xe2\x80\x9cExtravagant\nMeal and Refreshments\xe2\x80\x9d be defined in the FDIC\xe2\x80\x99s Acquisition Policy Manual. The focus should\nnot be on creating a definition for \xe2\x80\x9cextravagant,\xe2\x80\x9d but should instead be directed on the adequacy\nof the internal controls that govern its approval. Extravagant, as defined, means \xe2\x80\x9cgiven to\nimprudent or lavish spending or exceeding reasonable limits,\xe2\x80\x9d DOA does not believe that the\nexamples cited by the OIG meet the intent of the definition, which we believe is self-explanatory.\n For each of the exceptions noted in the OIG report, proper approval was obtained.\nWe believe that the APM sufficiently addresses the purchase of meals and refreshments in a\nmanner that minimizes potential risks to the Corporation. Specifically, the purchase of all\nrefreshments and meals must be approved in advance and in writing at the Assistant Director-\nlevel or above in Headquarters or the Regional Director/Regional Manager in the Field. The\n1\n Information obtained from the OIG working papers.\n2\n Total Credit Card Transactions of 6,188 was compiled by the APC from the information obtained from the Bank of\nAmerica for purchases made during the calendar years 2000 and 2001. The scope was based on the narrative\ncontained in the Scope and Methodology section of the OIG draft report.\n\n\n\n\n                                                      20\n\x0ccurrent practice elevates the approval process to an executive level manager who has the ability\nto use their discretion as circumstances warrant. We believe this high-level of advanced written\napproval serves as an adequate internal control as it pertains to the use of the procurement card\nfor refreshments and meals.\n\n\nRecommendation 3: We recommend that the Director, DOA, use the FDIC\xe2\x80\x99s Acquisition Policy\nManual, Chapter 9, to prohibit the purchase of alcoholic beverages using the procurement credit\ncard.\n\nManagement Response 3: DOA does not agree with the recommendation to prohibit the\npurchase of alcoholic beverages using the procurement credit card. As with Response 2, above,\nappropriate controls are in place and alcohol may only be purchased using the procurement credit\ncard under these circumstances and controls. The current practice elevates the approval process\nto an executive level manager who has the ability to use their discretion as circumstances warrant.\n Other than this approval process, alcohol may not be purchased using the procurement credit\ncard.\n\n\nRecommendation 4: We recommend that the Director, DOA, use the FDIC\xe2\x80\x99s Acquisition Policy\nManual, Chapter 9, to require approving officials not be subordinates to the cardholders for\nwhom they approve purchases.\n\nManagement Response 4: DOA fully agrees with the recommendation that approving officials\nshould not be a subordinate to a cardholder for whom they approve purchases. Although not\nspecifically stated in the APM, this practice has always been in place and enforced by the Agency\nProgram Coordinator (APC). As discussed with the OIG audit team, the APC was fully aware of\nthe occurrence noted in the report where a subordinate employee served as the approving official\nto senior level employees who were cardholders. This cardholder/approving official relationship\nwas established by a Regional Director. When the APC recognized the atypical arrangement, the\nAPC notified the appropriate parties within the Division. It was determined that no specific\naction was to be taken until completion of the division-wide reorganization. After the\nreorganization, APC took appropriate action.\n\nTo address this program issue globally, DOA will incorporate language into procurement credit\ncard policy that clearly articulates the requirements of the approving official / cardholder\nrelationship before issuance of a procurement credit card. Specifically, the APM will prohibit\nsubordinate employees from being an approving official to a supervisor. DOA will incorporate\nthe requirement into policy by the end of the first quarter 2003.\n\nAdditionally, DOA is in the process of establishing a Letter of Appointment that will be issued to\nall Approving Officials detailing their specific roles and responsibilities. This is in addition to the\nDelegation Memos that are currently issued to all procurement credit card holders.\n\n\n\n\n                                                  21\n\x0cRecommendation 5: We recommend that the Director, DOA, enforce APM Section 9.E.6.e by\nreminding cardholders/approving officials of the requirement to immediately notify the APC, or\nhis/her designee when the cardholder/approving official either leaves the FDIC or moves to\nanother FDIC position so that the APC can notify the Bank of America to cancel the card.\n\nManagement Response 5: DOA appreciates the recommendation made by the OIG, and agrees\nthat immediate cancellation of the procurement credit card should be made as cardholders\nseparate from the Corporation or are reassigned within the FDIC. This practice has always been\nan important component of the procurement card program, and we believe the requirement is\nclearly communicated in Chapter 9 of the APM. In addition, the APC has directed communiqu\xc3\xa9\nto administrative officers that emphasize the importance that timely notification is made to the\nAPC in order to cancel the procurement card immediately. To enforce and effectively monitor\nthis area, the APC incorporated a process in 2000 to obtain, on a routine basis, employee\nseparation and reassignment information from the DOA Personnel Services Branch. The APC\nstaffs review the information to determine if any of the employees listed are cardholders and\ndetermine whether their procurement card was cancelled appropriately.\n\nFurther efforts by the APC to deal with timely cancellation of credit cards was made in August\n2002 whereby the APC issued interim guidance to the Corporation that addressed cancellation of\nthe procurement credit card during the pre-exit clearance process. Subsequent to this interim\nguidance, the Pre-Exit Clearance Circular was updated with the revised requirements. This also\nincluded updating the Pre-Exit Clearance Form to require the Administrative Officer to collect\nthe credit card and sign the form to acknowledge that the action was completed.\n\nThe internal controls that we have established over the program are effective; however, as with\nall important aspects of the program, we will issue periodic reminders to the cardholders,\napproving officials, and administrative officers of the requirement to immediately notify the\nAPC, or his/her designee when the cardholder/approving official either leaves the FDIC or moves\nto another FDIC position so that the APC can notify the contractor to cancel the account. DOA\nexpects to issue its first reminder for the New Year by January 31, 2003.\n\n\nRecommendation 6: We recommend that the Director, DOA, perform an analysis on a regular\nbasis to determine whether cardholders are using the card. If a cardholder is not using a card on a\nfairly regular basis, consider canceling the card privileges.\n\nManagement Response 6: DOA concurs with the recommendation. The APC has incorporated\ncardholder usage analysis as the program has evolved and grown over the last six years. The\nanalysis was part of the evaluative process as major program changes and enhancements were\nmade. In 2000, APC expanded its oversight program and began routine analysis of cardholder\nusage. Usage reports for both the credit cards and convenience checks are obtained from the\ncontractor on a quarterly basis. Analysis of the cardholder usage was conducted, and the results\nwere shared with the Approving Officials to determine whether credit cards should be cancelled\nfor certain card holders. The APC analyzed the responses and determined to expand the survey\nperiod to obtain a broader perspective on cardholder usage. DOA is in the process of analyzing\nthe procurement credit card usage for 2002. Expected completion will be March 31, 2003.\n\n\n                                                22\n\x0cRecommendation 7: We recommend that the Director, DOA, review the spending limits for all\ncardholders and ensure that the limits reflect the extent of spending that they are likely to see.\n\nManagement Response 7: DOA concurs with the recommendation. The APC has incorporated\na process to analyze the spending limits for cardholders on a quarterly basis to determine whether\nthe spending thresholds or limits are appropriate. This evaluation is conducted in conjunction\nwith APC\xe2\x80\x99s analysis of cardholder usage, as discussed in Management Response 6. DOA is in\nthe process of analyzing the spending limits for all cardholders for 2002. Expected completion\nfor this initial analysis will be March 31, 2003.\n\n\nRecommendation 8: We recommend that the Director, DOA, conduct a risk assessment of the\nprocurement card program and establish the necessary control activities to mitigate the risks\nidentified.\n\nManagement Response 8: DOA concurs with this recommendation. It is important to note that\nextensive internal controls have been incorporated into the procurement card program and that\noversight of the program includes routine risk assessment. However, due to the high-level of\nattention and interest given to the credit card programs throughout the federal government, DOA\nwill establish its program as an Accountability Unit and test the controls for those identified risks\nunder the Chief Financial Officers Act (CFOA). The Accountability Unit will be established by\nMarch 31, 2003, and testing will take place as dictated in the annual Management Control Plan\nsubmitted to the Office of Internal Control Management.\n\n\nIf you have any questions regarding the response, our point of contact for this matter is Andrew\nNickle, Audit Liaison for the Division of Administration. Mr. Nickle can be reached at (202)\n942-3190.\n\ncc: Dave McDermott\n    Vijay Deshpande\n\n\n\n\n                                                 23\n\x0c                                                                                                                                                            APPENDIX III\n                                                   MANAGEMENT RESPONSES TO RECOMMENDATIONS\nThis table presents the management responses that have been made on recommendations in our report and the status of recommendations as of the\ndate of report issuance. The information in this table is based on management\xe2\x80\x99s written response to our report.\n                                                                                                                                                              Open\n Rec.                                                                        Expected              Monetary       Resolveda :     Dispositionedb:              or\nNumber           Corrective Action: Taken or Planned/Status                Completion Date         Benefits       Yes or No          Yes or No               Closedc\n               DOA concurs with the recommendation and\n               completed an online procurement credit card\n               training module in December 2002 which will be\n               available to program participants by the end of\n               January 2003. In addition, existing cardholders\n               will also be required to take periodic training to\n               refresh cardholders on their roles and\n       1       responsibilities under the program.                         January 31, 2003           N/A             Yes                 No                  Open\n               DOA does not agree with this recommendation\n               and stated that the focus should not be on creating\n               a definition for extravagant, but should instead be\n               directed on the adequacy of the internal controls\n               that govern approval. OIG requests that DOA\n               reconsider its response to our report and provide\n       2       us additional comments.                                                                N/A              No                 No                  Open\n               DOA does not agree with this recommendation\n               and stated as with recommendation 2, above, that\n               appropriate controls are in place and alcohol may\n               only be purchased using the procurement credit\n               card under these circumstances and controls. OIG\n               requests that DOA reconsider its response to our\n       3       report and provide us additional comments.                                             N/A              No                 No                  Open\na\n    Resolved \xe2\x80\x93 (1) Management concurs with the recommendation and the planned corrective action is consistent with the recommendation.\n                (2) Management does not concur with the recommendation but planned alternative action is acceptable to the OIG.\n                (3) Management agrees to the OIG monetary benefits or a different amount, or no ($0) amount. Monetary benefits are considered resolved as long as\n                management provides an amount.\nb\n Dispositioned \xe2\x80\x93 The agreed-upon corrective action must be implemented, determined to be effective, and the actual amounts of monetary benefits achieved through\nimplementation identified. The OIG is responsible for determining whether the documentation provided by management is adequate to disposition the recommendation.\nc\n    Once the OIG dispositions the recommendation, it can then be closed.\n\n                                                                                       24\n\x0c                                                                                                                          Open\n Rec.                                                            Expected         Monetary   Resolved:   Dispositioned:     or\nNumber     Corrective Action: Taken or Planned/Status          Completion Date    Benefits   Yes or No     Yes or No      Closed\n         DOA concurs with the recommendation and will\n         incorporate language into procurement credit card\n         policy that clearly articulates the requirements of\n         the approving official/cardholder relationship\n         before issuance of a procurement credit card.\n  4                                                            March 31, 2003       N/A        Yes            No          Open\n         DOA concurs with the recommendation and has\n         revised the Pre-Exit Clearance Circular. In\n         addition, DOA will issue periodic reminders to the\n         cardholders, approving officials, and\n         administrative officers of the requirement to\n         immediately notify the APC, or his/her designee\n         when the cardholder/approving official either\n         leaves the FDIC or moves to another FDIC\n         position so that the APC can notify the contractor\n  5      to cancel the account.                                January 31, 2003     N/A        Yes            No          Open\n         DOA concurs with the recommendation and is in\n         the process of analyzing the procurement credit\n  6      card usage for 2002.                                  March 31, 2003       N/A        Yes            No          Open\n         DOA concurs with the recommendation and has\n         incorporated a process to analyze the spending\n         limits for cardholders on a quarterly basis to\n         determine whether the spending thresholds or\n  7      limits are appropriate.                               March 31, 2003       N/A        Yes            No          Open\n         DOA concurred with the recommendation and\n         will establish its program as an Accountability\n         Unit and test controls for those identified risks\n  8      under the Chief Financial Officers Act.               March 31, 2003       N/A        Yes            No          Open\n\n\n\n\n                                                                         25\n\x0c'